Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
19/11/2024, 09:51
General
-
Target
25aaf1597342a25b77d8dce1160f70d8254c0f0da8427ecfb8f552e8dc5168f2.exe
-
Size
69KB
-
MD5
5078693d1ed4ac9bb3f9915b123eb2dd
-
SHA1
7c07df0a4f7eaa7024f057765d8a4942d0dca75b
-
SHA256
25aaf1597342a25b77d8dce1160f70d8254c0f0da8427ecfb8f552e8dc5168f2
-
SHA512
e2d4c19452eafe33a2e44e6525d6148e6c9a9f40382631c1e1093978be9387f8c2494b729b8b38d1d101a3b377999c1fdae359a1c474ea45f356325fdafe0b05
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIFdJULh1214ar4f:ymb3NkkiQ3mdBjFIFdJmdar4f
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\25aaf1597342a25b77d8dce1160f70d8254c0f0da8427ecfb8f552e8dc5168f2.exe"C:\Users\Admin\AppData\Local\Temp\25aaf1597342a25b77d8dce1160f70d8254c0f0da8427ecfb8f552e8dc5168f2.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\4640404.exec:\4640404.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thnntb.exec:\thnntb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\642822.exec:\642822.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2824002.exec:\2824002.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0068466.exec:\0068466.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbnbnn.exec:\tbnbnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2240868.exec:\2240868.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\02840.exec:\02840.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\u608686.exec:\u608686.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvpdp.exec:\vvpdp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2206462.exec:\2206462.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\084888.exec:\084888.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrlxflf.exec:\rrlxflf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xllxxff.exec:\xllxxff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjvp.exec:\jjjvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbbtbh.exec:\nbbtbh.exe17⤵
- Executes dropped EXE
-
\??\c:\626224.exec:\626224.exe18⤵
- Executes dropped EXE
-
\??\c:\6664202.exec:\6664202.exe19⤵
- Executes dropped EXE
-
\??\c:\046420.exec:\046420.exe20⤵
- Executes dropped EXE
-
\??\c:\hhnntt.exec:\hhnntt.exe21⤵
- Executes dropped EXE
-
\??\c:\0662282.exec:\0662282.exe22⤵
- Executes dropped EXE
-
\??\c:\nnhnnn.exec:\nnhnnn.exe23⤵
- Executes dropped EXE
-
\??\c:\2608680.exec:\2608680.exe24⤵
- Executes dropped EXE
-
\??\c:\llrlxrl.exec:\llrlxrl.exe25⤵
- Executes dropped EXE
-
\??\c:\4602840.exec:\4602840.exe26⤵
- Executes dropped EXE
-
\??\c:\jdppd.exec:\jdppd.exe27⤵
- Executes dropped EXE
-
\??\c:\flxrrrx.exec:\flxrrrx.exe28⤵
- Executes dropped EXE
-
\??\c:\djpvp.exec:\djpvp.exe29⤵
- Executes dropped EXE
-
\??\c:\82888.exec:\82888.exe30⤵
- Executes dropped EXE
-
\??\c:\82680.exec:\82680.exe31⤵
- Executes dropped EXE
-
\??\c:\442404.exec:\442404.exe32⤵
- Executes dropped EXE
-
\??\c:\64020.exec:\64020.exe33⤵
- Executes dropped EXE
-
\??\c:\vdpjv.exec:\vdpjv.exe34⤵
- Executes dropped EXE
-
\??\c:\nhnntn.exec:\nhnntn.exe35⤵
- Executes dropped EXE
-
\??\c:\40622.exec:\40622.exe36⤵
- Executes dropped EXE
-
\??\c:\8648442.exec:\8648442.exe37⤵
- Executes dropped EXE
-
\??\c:\4806408.exec:\4806408.exe38⤵
- Executes dropped EXE
-
\??\c:\ddvpd.exec:\ddvpd.exe39⤵
- Executes dropped EXE
-
\??\c:\048206.exec:\048206.exe40⤵
- Executes dropped EXE
-
\??\c:\6606020.exec:\6606020.exe41⤵
- Executes dropped EXE
-
\??\c:\lflflfl.exec:\lflflfl.exe42⤵
- Executes dropped EXE
-
\??\c:\xxfxlxl.exec:\xxfxlxl.exe43⤵
- Executes dropped EXE
-
\??\c:\3hhnnh.exec:\3hhnnh.exe44⤵
- Executes dropped EXE
-
\??\c:\jppjp.exec:\jppjp.exe45⤵
- Executes dropped EXE
-
\??\c:\8220680.exec:\8220680.exe46⤵
- Executes dropped EXE
-
\??\c:\624826.exec:\624826.exe47⤵
- Executes dropped EXE
-
\??\c:\rlrxfxf.exec:\rlrxfxf.exe48⤵
- Executes dropped EXE
-
\??\c:\004220.exec:\004220.exe49⤵
- Executes dropped EXE
-
\??\c:\6024624.exec:\6024624.exe50⤵
- Executes dropped EXE
-
\??\c:\888428.exec:\888428.exe51⤵
- Executes dropped EXE
-
\??\c:\62082.exec:\62082.exe52⤵
- Executes dropped EXE
-
\??\c:\022664.exec:\022664.exe53⤵
- Executes dropped EXE
-
\??\c:\88680.exec:\88680.exe54⤵
- Executes dropped EXE
-
\??\c:\806008.exec:\806008.exe55⤵
- Executes dropped EXE
-
\??\c:\22086.exec:\22086.exe56⤵
- Executes dropped EXE
-
\??\c:\ddpjv.exec:\ddpjv.exe57⤵
- Executes dropped EXE
-
\??\c:\ffflxfx.exec:\ffflxfx.exe58⤵
- Executes dropped EXE
-
\??\c:\2222068.exec:\2222068.exe59⤵
- Executes dropped EXE
-
\??\c:\pppdv.exec:\pppdv.exe60⤵
- Executes dropped EXE
-
\??\c:\nnbbnt.exec:\nnbbnt.exe61⤵
- Executes dropped EXE
-
\??\c:\bntbbn.exec:\bntbbn.exe62⤵
- Executes dropped EXE
-
\??\c:\vdpjp.exec:\vdpjp.exe63⤵
- Executes dropped EXE
-
\??\c:\4862460.exec:\4862460.exe64⤵
- Executes dropped EXE
-
\??\c:\66602.exec:\66602.exe65⤵
- Executes dropped EXE
-
\??\c:\hhbhbb.exec:\hhbhbb.exe66⤵
-
\??\c:\tnnhtt.exec:\tnnhtt.exe67⤵
-
\??\c:\rrrlxfr.exec:\rrrlxfr.exe68⤵
-
\??\c:\42626.exec:\42626.exe69⤵
-
\??\c:\lrlfrfr.exec:\lrlfrfr.exe70⤵
-
\??\c:\nbtntn.exec:\nbtntn.exe71⤵
-
\??\c:\tbhbhh.exec:\tbhbhh.exe72⤵
-
\??\c:\62662.exec:\62662.exe73⤵
-
\??\c:\8862064.exec:\8862064.exe74⤵
-
\??\c:\u624246.exec:\u624246.exe75⤵
-
\??\c:\jppdv.exec:\jppdv.exe76⤵
-
\??\c:\2400844.exec:\2400844.exe77⤵
-
\??\c:\22082.exec:\22082.exe78⤵
-
\??\c:\2686208.exec:\2686208.exe79⤵
-
\??\c:\46640.exec:\46640.exe80⤵
-
\??\c:\ntbbhh.exec:\ntbbhh.exe81⤵
-
\??\c:\bbnntn.exec:\bbnntn.exe82⤵
-
\??\c:\626646.exec:\626646.exe83⤵
-
\??\c:\8840208.exec:\8840208.exe84⤵
-
\??\c:\jjpvp.exec:\jjpvp.exe85⤵
-
\??\c:\6680842.exec:\6680842.exe86⤵
-
\??\c:\40600.exec:\40600.exe87⤵
-
\??\c:\o088246.exec:\o088246.exe88⤵
-
\??\c:\rflxxlx.exec:\rflxxlx.exe89⤵
-
\??\c:\028208.exec:\028208.exe90⤵
-
\??\c:\46266.exec:\46266.exe91⤵
-
\??\c:\pjjvp.exec:\pjjvp.exe92⤵
-
\??\c:\28686.exec:\28686.exe93⤵
-
\??\c:\ddvpp.exec:\ddvpp.exe94⤵
-
\??\c:\lxfxrll.exec:\lxfxrll.exe95⤵
-
\??\c:\ffrrrrl.exec:\ffrrrrl.exe96⤵
-
\??\c:\0084804.exec:\0084804.exe97⤵
-
\??\c:\666842.exec:\666842.exe98⤵
-
\??\c:\62804.exec:\62804.exe99⤵
-
\??\c:\4420802.exec:\4420802.exe100⤵
-
\??\c:\pjppd.exec:\pjppd.exe101⤵
-
\??\c:\ttnbtb.exec:\ttnbtb.exe102⤵
-
\??\c:\pjdjv.exec:\pjdjv.exe103⤵
-
\??\c:\jdjpd.exec:\jdjpd.exe104⤵
-
\??\c:\6480640.exec:\6480640.exe105⤵
-
\??\c:\c224280.exec:\c224280.exe106⤵
-
\??\c:\6608828.exec:\6608828.exe107⤵
-
\??\c:\fxrxffr.exec:\fxrxffr.exe108⤵
-
\??\c:\bnbbhh.exec:\bnbbhh.exe109⤵
-
\??\c:\rxlfrfr.exec:\rxlfrfr.exe110⤵
-
\??\c:\6222260.exec:\6222260.exe111⤵
-
\??\c:\q84220.exec:\q84220.exe112⤵
-
\??\c:\nnnhth.exec:\nnnhth.exe113⤵
-
\??\c:\hnthtn.exec:\hnthtn.exe114⤵
-
\??\c:\ntbbbt.exec:\ntbbbt.exe115⤵
-
\??\c:\bnbbhh.exec:\bnbbhh.exe116⤵
-
\??\c:\fffxlrl.exec:\fffxlrl.exe117⤵
-
\??\c:\vpjpj.exec:\vpjpj.exe118⤵
-
\??\c:\068844.exec:\068844.exe119⤵
-
\??\c:\fffrlfr.exec:\fffrlfr.exe120⤵
-
\??\c:\nbttbt.exec:\nbttbt.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-